API error blamed for Salesforce data leak

Salesforce has warned customers that an API fault could have caused the data leak

The firm said it became aware of the issue, which affects a subset of Marketing Cloud customers

The company said that the code change could have exposed clients' CRM data

CALIFORNIA, U.S. - Popular software-as-a-service (SaaS) provider Salesforce has blamed an API error and alerted customers to a data leak that it said could have exposed clients' CRM data.

Salesforce said in a statement that it had alerted customers that their information may have been shared with other customers' accounts, due to the API error.

The CRM company said in a security advisory that it became aware of the issue on July 18.

In its advisory, the company added that the error impacted a subset of Marketing Cloud customers using the Marketing Cloud Email Studio and Predictive Intelligence products.

Salesforce revealed in a separate statement that the error was introduced with a code change that it rolled out to Marketing Cloud between June 4 and July 7.

According to the company, the change may have caused a small subset of REST API calls to improperly retrieve or write data from one customer's account to another.

Salesforce pointed out that while the error had been resolved on the same day through an emergency release, some customers could have still experienced data loss.

The data leak raised concerns because Salesforce boasts top clients such as Maersk, Adidas and VMware, and the Marketing Cloud product affected by the API error is a CRM product that the company's clients use to store customer and sales prospect contact details.

Salesforce reportedly sent out an email to customers, in which it said, "Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data."

The company said that while there is "no evidence of malicious behavior associated with this issue, that doesn't mean that it didn't occur."

It further added in the email, "We are unable to confirm if your data was viewed or modified by another customer. As a result, we are notifying all potentially impacted customers who accessed the Marketing Cloud during this period. Any organisation whose users accessed the affected products - through either the online UI or REST API calls - may have had their Marketing Cloud data corrupted."